- From: Frederik Braun <fbraun@mozilla.com>
- Date: Fri, 10 Jan 2014 15:08:00 +0100
- To: Nick Krempel <ndkrempel@google.com>, Hajime Morrita <morrita@google.com>
- CC: public-webapps <public-webapps@w3.org>, Gabor Krizsanits <gkrizsanits@mozilla.com>
On 10.01.2014 14:51, Nick Krempel wrote:
> To clarify: your example is supposed to be an attack on imported.com
> <http://imported.com>, not example.com <http://example.com> (we can
> assume the attacker has control over example.com <http://example.com>)?
>
> Nick
>

Yes, imagine an XSS vulnerability on example.com. Using this to include imported.com shouldn't mean that the CSP in place (which allows imported.com) is suddenly allowing everything that is also mentioned in the policy of imported.com. Quite the contrary: if you include imported.com *and* you want to restrict the resources working on your page, example.com (which is what CSP does), you have to explicitly whitelist everything that imported.com brings, otherwise those features won't work.
Received on Friday, 10 January 2014 14:08:35 UTC
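As an added example that is not part of the thread, the following script applies the importing page's CSP to the resources an HTML import brings in, which is the rule Frederik describes: imported.com's own policy is never consulted, and anything example.com has not already whitelisted is blocked. The CSP text, hostnames and resource list are constructed for illustration.

```javascript
// Added example, not code from the thread. A minimal CSP source-list matcher
// (hosts and 'self'/'none' only; no ports, paths, nonces or hashes).
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}
// Does one source expression permit this URL? `self` is the host page's URL.
function sourceMatches(expr, url, self) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === self.origin;
  if (expr === '*') return true;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const h = url.hostname.toLowerCase(), want = host.toLowerCase();
  return wildcard ? h.endsWith('.' + want) : h === want;
}
// A directive that is absent falls back to default-src, as in CSP.
function allowedBy(directives, directive, url, self) {
  const list = directives[directive] || directives['default-src'];
  if (!list) return true; // nothing governs this fetch
  return list.some(expr => sourceMatches(expr, url, self));
}
// Evaluate everything the import brings against the HOST page's CSP only.
// The imported document's own policy never widens this set; each blocked entry
// lists the source the host page would have to whitelist explicitly.
function auditImport(hostCsp, hostOrigin, importedResources) {
  const directives = parseCsp(hostCsp);
  const self = new URL(hostOrigin);
  return importedResources
    .filter(r => !allowedBy(directives, r.directive, new URL(r.url), self))
    .map(r => ({ ...r, needs: `${r.directive} ${new URL(r.url).origin}` }));
}
// Constructed scenario matching the thread: example.com whitelists imported.com,
// but the import also pulls a script from cdn.imported.com and a stylesheet
// from fonts.example.net (hostnames invented for illustration).
const HOST_CSP = "default-src 'self'; script-src 'self' https://imported.com";
const IMPORTED_RESOURCES = [
  { directive: 'script-src', url: 'https://imported.com/widget.js' },
  { directive: 'script-src', url: 'https://cdn.imported.com/lib.js' },
  { directive: 'style-src', url: 'https://fonts.example.net/site.css' },
];
console.log(auditImport(HOST_CSP, 'https://example.com', IMPORTED_RESOURCES));
```

Only the first script passes; the other two resources are blocked until example.com's policy names their origins.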